xred | 5de180ff35a8a0835dc704f4b8551fb1bb196837358c2020f84849c4f517fad8

Analysis

max time kernel
144s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Account Generator v2/DiscordGenerator.exe
Size

226KB
MD5

768baf6ab6a559b6f01db21660baea67
SHA1

e3ac1aa045def382517ee8ad34f17b73083df128
SHA256

5f87f1ab9a87bd981a4a2c6173989948086ed8681763fec48cdc4fb1ae854237
SHA512

96404cd3a7c42bd6ad98e17f8a790dca48d5287dfb7169bc696870a07a139b16eb1cd3f8c46a281e4e2d93bde06e6c2d6e48be4a6c767c5add7742743471cf5d
SSDEEP

3072:84lRaB+zSSfIF18Gpt+hEjU+dTKye0VNE4+jjjjcjjjjN7uoF:86RakJq+hSE0VNsjjjjcjjjjE

Score

10^/10

xred backdoor discovery execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Launcher.exe

Executes dropped EXE 30 IoCs

pid	Process
2988	._cache_Jint.exe
2884	Synaptics.exe
2364	Runtime Broker.exe
1744	._cache_Synaptics.exe
592	Windows Services.exe
2376	Secure System Shell.exe
1140	Runtime Explorer.exe
1868	Runtime Explorer.exe
1296	Runtime Explorer.exe
688	Runtime Explorer.exe
2904	Runtime Explorer.exe
2992	Runtime Explorer.exe
1168	Runtime Explorer.exe
1808	Runtime Explorer.exe
2888	Runtime Explorer.exe
1104	Runtime Explorer.exe
2440	Runtime Explorer.exe
2392	Runtime Explorer.exe
2900	Runtime Explorer.exe
916	Runtime Explorer.exe
2572	Runtime Explorer.exe
1576	Runtime Explorer.exe
2312	Runtime Explorer.exe
2352	Runtime Explorer.exe
1892	Runtime Explorer.exe
2920	Runtime Explorer.exe
2844	Runtime Explorer.exe
2892	Runtime Explorer.exe
2828	Runtime Explorer.exe
2356	Runtime Explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
2964	Jint.exe
2964	Jint.exe
2964	Jint.exe
2988	._cache_Jint.exe
2988	._cache_Jint.exe
2884	Synaptics.exe
2884	Synaptics.exe
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib
2488	AlphaFS.lib
3056	AlphaFS.lib
3056	AlphaFS.lib

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe"	Launcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Jint.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\IMF\LICENCE.dat	Launcher.exe
File created	C:\Windows\IMF\Runtime Explorer.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Runtime Explorer.exe	Launcher.exe
File created	C:\Windows\IMF\Windows Services.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Windows Services.exe	Launcher.exe
File opened for modification	C:\Windows\IMF\Secure System Shell.exe	Launcher.exe
File created	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File created	C:\Windows\IMF\Secure System Shell.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\LICENCE.zip	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordGenerator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Secure System Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2364	Runtime Broker.exe
2804	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2432	Launcher.exe
1972	powershell.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
2376	Secure System Shell.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe
592	Windows Services.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	Launcher.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: 35	2488	AlphaFS.lib
Token: 35	3056	AlphaFS.lib
Token: SeDebugPrivilege	592	Windows Services.exe
Token: SeDebugPrivilege	2376	Secure System Shell.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2804	EXCEL.EXE
1140	Runtime Explorer.exe
1868	Runtime Explorer.exe
1296	Runtime Explorer.exe
688	Runtime Explorer.exe
2904	Runtime Explorer.exe
2992	Runtime Explorer.exe
1168	Runtime Explorer.exe
1808	Runtime Explorer.exe
2888	Runtime Explorer.exe
1104	Runtime Explorer.exe
2440	Runtime Explorer.exe
2392	Runtime Explorer.exe
2900	Runtime Explorer.exe
916	Runtime Explorer.exe
2572	Runtime Explorer.exe
1576	Runtime Explorer.exe
2312	Runtime Explorer.exe
2352	Runtime Explorer.exe
1892	Runtime Explorer.exe
2920	Runtime Explorer.exe
2844	Runtime Explorer.exe
2892	Runtime Explorer.exe
2828	Runtime Explorer.exe
2356	Runtime Explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2616 wrote to memory of 2432	2616	DiscordGenerator.exe	30
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2432 wrote to memory of 1972	2432	Launcher.exe	31
PID 2616 wrote to memory of 2964	2616	DiscordGenerator.exe	33
PID 2616 wrote to memory of 2964	2616	DiscordGenerator.exe	33
PID 2616 wrote to memory of 2964	2616	DiscordGenerator.exe	33
PID 2616 wrote to memory of 2964	2616	DiscordGenerator.exe	33
PID 2964 wrote to memory of 2988	2964	Jint.exe	34
PID 2964 wrote to memory of 2988	2964	Jint.exe	34
PID 2964 wrote to memory of 2988	2964	Jint.exe	34
PID 2964 wrote to memory of 2988	2964	Jint.exe	34
PID 2964 wrote to memory of 2884	2964	Jint.exe	36
PID 2964 wrote to memory of 2884	2964	Jint.exe	36
PID 2964 wrote to memory of 2884	2964	Jint.exe	36
PID 2964 wrote to memory of 2884	2964	Jint.exe	36
PID 2988 wrote to memory of 2364	2988	._cache_Jint.exe	37
PID 2988 wrote to memory of 2364	2988	._cache_Jint.exe	37
PID 2988 wrote to memory of 2364	2988	._cache_Jint.exe	37
PID 2988 wrote to memory of 2364	2988	._cache_Jint.exe	37
PID 2988 wrote to memory of 788	2988	._cache_Jint.exe	38
PID 2988 wrote to memory of 788	2988	._cache_Jint.exe	38
PID 2988 wrote to memory of 788	2988	._cache_Jint.exe	38
PID 2988 wrote to memory of 788	2988	._cache_Jint.exe	38
PID 2884 wrote to memory of 1744	2884	Synaptics.exe	39
PID 2884 wrote to memory of 1744	2884	Synaptics.exe	39
PID 2884 wrote to memory of 1744	2884	Synaptics.exe	39
PID 2884 wrote to memory of 1744	2884	Synaptics.exe	39
PID 1744 wrote to memory of 3040	1744	._cache_Synaptics.exe	41
PID 1744 wrote to memory of 3040	1744	._cache_Synaptics.exe	41
PID 1744 wrote to memory of 3040	1744	._cache_Synaptics.exe	41
PID 1744 wrote to memory of 3040	1744	._cache_Synaptics.exe	41
PID 788 wrote to memory of 2488	788	AlphaFS.lib	43
PID 788 wrote to memory of 2488	788	AlphaFS.lib	43
PID 788 wrote to memory of 2488	788	AlphaFS.lib	43
PID 3040 wrote to memory of 3056	3040	AlphaFS.lib	44
PID 3040 wrote to memory of 3056	3040	AlphaFS.lib	44
PID 3040 wrote to memory of 3056	3040	AlphaFS.lib	44
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 2432 wrote to memory of 592	2432	Launcher.exe	45
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 2376	592	Windows Services.exe	46
PID 592 wrote to memory of 1140	592	Windows Services.exe	47
PID 592 wrote to memory of 1140	592	Windows Services.exe	47

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\DiscordGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\DiscordGenerator.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Launcher.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\IMF\Windows Services.exe
    "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\IMF\Secure System Shell.exe
      "C:\Windows\IMF\Secure System Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2376
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1140
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1868
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1296
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:688
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2904
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2992
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1168
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2888
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1104
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2440
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2392
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2900
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:916
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2572
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1576
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2312
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2352
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1892
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2920
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2844
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2892
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2828
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2356
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe
      "C:\\ProgramData\\Windows Portable Clipboard\\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
        
        "AlphaFS.lib"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
        
        "AlphaFS.lib"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
        
        "AlphaFS.lib"
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
        7⤵
        
        PID:892

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
959KB

MD5
68a9f00a8e353b412f6f874c319aa5f1

SHA1
53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d

SHA256
4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd

SHA512
f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
031dc390780ac08f498e82a5604ef1eb

SHA1
cf23d59674286d3dc7a3b10cd8689490f583f15f

SHA256
b119adad588ebca7f9c88628010d47d68bf6e7dc6050b7e4b787559f131f5ede

SHA512
1468ad9e313e184b5c88ffd79a17c7d458d5603722620b500dba06e5b831037cd1dd198c8ce2721c3260ab376582f5791958763910e77aa718449b6622d023c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
fb79420ec05aa715fe76d9b89111f3e2

SHA1
15c6d65837c9979af7ec143e034923884c3b0dbd

SHA256
f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e

SHA512
c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\base_library.zip

Filesize
768KB

MD5
eb723b4c1b48d3e8969ff3f4d897b79e

SHA1
a03479e7a916d0ee5e3647322307aceb0b1c30b9

SHA256
ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5

SHA512
4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\pywintypes37.dll

Filesize
136KB

MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7882\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
21KB

MD5
5d585f9835bd9ae51fade5c3d351834a

SHA1
ffff2b4a40fa87ee9d92b1542859dfce42bb98a7

SHA256
8c0dac74b09af91182e0e7df916eab6516a0af1fdd067c17bf9ec08ee60e1fff

SHA512
ca35e0986dcca53a8202c883ee7aff596f91e1e3fd509d765429a22dc9e34ee62c5ed367b0239d5ba80d52e06a3ef7416abf7de54c84d90d986d2fc7363f8beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
22KB

MD5
6db3de9c46cbcc1d4ebe6debdb658d56

SHA1
384f7b78bef8a827ad3a2daa0b5ed49ebd9d43ba

SHA256
c6e6c1b8734b6bf447666d8dd901c3c127325ca19439134f2aa0ba34fec32a3e

SHA512
6acf20ba81912ced09660310411991e3635ce2f62368315c82a800c1a288282f9fc5a8980abf2f35285f2c929fad48efc30660894aca47ec3681cd2bd9c07d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
23KB

MD5
878d8f7686d700116984969f1f257cff

SHA1
0c05fc6e0729419593a7e5fda131f0619eff6fce

SHA256
d60c6b18d7549292bf229cb464acccda5c238f18f566700704b2f1504b08df71

SHA512
3c3ffc2ef54a5f6ee8b93abe28d861a21af229873e567ce71a5103a44615fe2c85d7cc59be1230f732b3a6b96848516ff7e5ad3fe397e6891088208da8cc78c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
22KB

MD5
5c7d13dcbe67422739c7b3fe4cd27539

SHA1
32ee2e6c69e7f026f35b583db4a350aeebc909f9

SHA256
058ba2c0c926c1d03e021ec88fcb80fcf0da566e69281700b97b8155ed6c8df5

SHA512
d9e54de7efdff745fb3dcb7cc627e811579b378e877cba0ff2365e6c86c40fc3a228c404599c7bb1f00b08f34ca97f3b92d7a722218d2645c536e30a0a951193

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
24KB

MD5
1c53d2df4f9cbdd7c93d274c8850745f

SHA1
512e17918c1157cdf88359901e7b727834a3bf48

SHA256
03b83776814c6c6a53f6ca484153abfea44d525c9308a2108b1b57705769aa28

SHA512
e8a1ae88aa49eeb3c6a0e406885d54a901f96d6ce0b39aacbdd1742578759b76ad639d2e3d1973516e7349a1bf9855ccfe6b56606af280102c68160d6717329f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLlURSKA.xlsm

Filesize
25KB

MD5
f942f65ce8c986495cb4fccfb009f23e

SHA1
79dded4a98bfad1fa805c026aa7ae2a34568df5e

SHA256
7b0963199c28130b759f6334fd6a4c50744a2d7d6320e74c097e30775f0ae49d

SHA512
db3a7b8721a954c274cb71be2897674429a76fba81b8964b6c3ea05e9e0303fc611f9dbd2083645c625b8deb71ce0de42942316d00b38952fc2db7a94344d279

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\IMF\Runtime Explorer.exe

Filesize
152KB

MD5
03f5e0141f4519f0c5ac26ce0b036a0f

SHA1
4f7a2a230e7a194a898cc9f2d563ac8777fe99c0

SHA256
78a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef

SHA512
86a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7

Download Submit
C:\Windows\IMF\Secure System Shell.exe

Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Windows Services.exe

Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
\ProgramData\Windows Portable Clipboard\Runtime Broker.exe

Filesize
255KB

MD5
8629c65903ca26e7ffada84c69ae0972

SHA1
015673ba0498ae35bd4da1c3ba45bab5fbfa18ce

SHA256
adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d

SHA512
6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7

Download Submit
\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe

Filesize
206KB

MD5
01954f322fc670b93d59b9bdf710d3f5

SHA1
7c9e9af5da35de32c41d9a883c61d6a773905059

SHA256
43a1c5f3292787add7507c3aa57179682b69dc499965039c1179560bd2b567fd

SHA512
c160714b91ee7f86edb3462d7b88b8121ef369aa24499708e2e05c41cf31f4677d4e8da56b0b495cc60eae98768b7110722790f316da88eb51c3a9100f7baa05

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
5cce7a5ed4c2ebaf9243b324f6618c0e

SHA1
fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3

SHA256
aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3

SHA512
fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
242829c7be4190564becee51c7a43a7e

SHA1
663154c1437acf66480518068fbc756f5cabb72f

SHA256
edc1699e9995f98826df06d2c45beb9e02aa7817bae3e61373096ae7f6fa06e0

SHA512
3529fde428affc3663c5c69baee60367a083841b49583080f0c4c7e72eaa63cabbf8b9da8ccfc473b3c552a0453405a4a68fcd7888d143529d53e5eec9a91a34

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
dd899c6ffecce1dca3e1c3b9ba2c8da2

SHA1
2914b84226f5996161eb3646e62973b1e6c9e596

SHA256
191f53988c7f02dd888c4fbf7c1d3351570f3b641146fae6d60acdae544771ae

SHA512
2db47faa025c797d8b9b82de4254ee80e499203de8c6738bd17ddf6a77149020857f95d0b145128681a3084b95c7d14eb678c0a607c58b76137403c80fe8f856

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7882\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
memory/592-368-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/2376-371-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2432-3-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

Filesize
80KB

Download
memory/2432-5-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-7-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-4-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-369-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-6-0x0000000000690000-0x000000000070E000-memory.dmp

Filesize
504KB

Download
memory/2616-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/2616-12-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-2-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-1-0x0000000001310000-0x000000000134E000-memory.dmp

Filesize
248KB

Download
memory/2804-160-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-426-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2884-499-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2884-504-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2884-552-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2964-35-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download